Introduction
➢ What is Ransomware
• Ransomware is a form of malware that encrypts a victim's files.
• Ransomware attacks and infects a computer with the intention of extorting
money from its owner.
• A payment is demanded to decrypt the affected files and restore the victim's
access; it is usually to be paid in a virtual currency such as Bitcoin.
• Ransomware often enters a computer as a computer worm or Trojan horse
through malicious websites, e-mail attachments, software applications etc.
• It is also known as a crypto-virus, crypto-Trojan or crypto-worm.
➢ How seriously do Security Experts take Ransomware? (compared to other threats)
• Ransomware has long been a lurking threat, but it has gone from a
manageable annoyance to a major concern not only of security professionals
but of business owners and executives everywhere.
• The FBI's guidance does not state "do not pay under any circumstances". Rather,
in their "Ransomware Prevention and Response for CISOs" document, while
not encouraging payment (they clearly prefer that victims do not pay), they state:
▪ Whether to pay a ransom is a serious decision, requiring the
evaluation of all options to protect shareholders, employees and
customers. Victims will want to evaluate the technical
feasibility, timeliness, and cost of restarting systems from
backup.
• The idea that the FBI says not to pay is actually a myth, and some news
organizations are trying to make that clearer.
• Bleeping Computer published an article that gave an interesting statistic:
▪ The survey, carried out by research and marketing firm Cyber
Edge Group, reveals that paying the ransom demand, even if for
desperate reasons, does not guarantee that victims will regain
access to their files.
[..]
Of the 38.7% who opted to pay the ransom, a little less than half
(19.1%) recovered their files using the tools provided by the
ransomware authors.
Source: https://riskbasedsecurity.com/2018/10/09/ransomware-to-pay-or-not-to-pay-that-is-still-a-real-question/
➢ Key statistics of Ransomware
• The first widely recognized ransomware incident actually predates the
emergence of the online threat we recognize today by almost two decades. In
1989, a Harvard academic named Joseph L. Popp was attending a World
Health Organization conference on AIDS. In preparation for the conference,
he created 20,000 discs to send to delegates, which he titled “AIDS
Information – Introductory Diskettes.”
• CryptoLocker was one of the most prominent ransomware attacks; it took place
between September and December 2013. It infected more than
250,000 systems and earned more than 3 million.
• The Ryuk ransomware, which demands $288,000 per incident, is responsible
for the large rise in ransomware payment costs.
• Ransomware downtime costs organizations more than $64,000 on average.
➢ Rate of Ransomware attacks
• Starting from around 2012 the use of ransomware scams has grown
internationally. There were 181.5 million ransomware attacks in the first six
months of 2018. This marks a 229% increase over this same time frame in
2017. In June 2014, vendor McAfee released data showing that it had
collected more than double the number of samples of ransomware that quarter
than it had in the same quarter of the previous year.
Source: https://en.wikipedia.org/wiki/Ransomware
• Ransomware attacks have increased over 97 percent in the past two years.
(Source: PhishMe)
• A new organization will fall victim to ransomware every 14 seconds in 2019,
and every 11 seconds by 2021. (Source: Cyber Security Ventures)
• In 2019 ransomware from phishing emails increased 109 percent over 2017.
(Source: PhishMe)
➢ Amount of money lost statistics
• An IBM study suggested that over a quarter of all companies would pay more
than $20,000 to hackers to retrieve data that had been stolen.
• Ransomware generates over $25 million in revenue for hackers each year.
(Source: Business Insider)
• The NotPetya ransomware attack cost FedEx $300 million in Q1 2017.
(Source: Reuters)
• The average ransom demand increased in 2018 to $1,077.
• Ten percent of all ransom demands are over $5,000. (Source: Datto)
• 97% of United States companies refused to pay a ransom. 75% of Canadian
companies paid, followed by 22% of German businesses and 58% in the UK.
Source: https://phoenixnap.com/blog/ransomware-statistics-facts
How does ransomware work
➢ What types of artefacts does ransomware attack: files, programs, machines?
• Ransomware attacks all types of files, programs, machines etc.
• Ransomware often enters a PC as a computer worm or Trojan horse
through malicious websites, e-mail attachments, software applications
etc.
• It mainly attacks files on computers, mobile devices, workstations and servers.
• Ransomware encrypts a victim's files and demands a ransom in order to
decrypt them and restore access to the affected files.
➢ Main techniques ransomware uses to perform an attack
• Ransomware is a malicious software that encrypts data of the victims and
asks for money in order to unlock them.
• Ransomware makes use of some nifty public-key cryptography which is
the same “one-way” (asymmetric) encryption that lets you safely shop
online and access online banking.
• It generates a unique random encryption key every time it infects a
computer and uses that key to encrypt your files (with the AES-256
cipher, often marketed as "military grade"). It then encrypts this symmetric
key with the attackers' public key.
• Only the holder of the matching private key can recover the symmetric key
needed to decrypt the files.
➢ How ransomware attacks are initiated: email attachments, malware hidden in software?
• Malicious e-mail attachments
Here the attacker sends an e-mail that appears to come from a believable
source such as HR or IT. The malicious file is attached to the e-mail. When the
recipient opens the e-mail the ransomware payload is downloaded, the
system is infected and the files are held for ransom.
• Exploit kits
Exploit kits are sophisticated toolkits that exploit vulnerabilities.
Exploit kits are executed when a victim visits a malicious website.
Malicious code hidden in the site in the form of an advertisement
(malvertisement) enters the PC and infects it.
• Remote Desktop Protocol (RDP)
An increasingly popular mechanism by which attackers infect victims is
Remote Desktop Protocol (RDP). Using RDP, attackers can access a victim's
data remotely.
• USB and removable media
Another way ransomware can enter a PC is through a USB device.
When the USB device is plugged in, malware can enter the PC without any
warning or the user's knowledge.
➢ Approaches used to recover from ransomware and how effective they are
• Conduct regular data backups
Conduct regular backups of your files and store them offline (or in the cloud)
so you can access them when you need them.
• Update the software
Update both the OS and security components so you stay
protected from ransomware and other malicious attacks.
• Educate end users
End users should be educated on how to protect themselves from such
attacks: creating strong passwords, always using antivirus
software, avoiding malicious websites, not opening e-mails
sent by unknown users, etc.
• Restrict administrative and system access
Ransomware is designed to use administrative privileges to perform
its tasks. This can be limited by reducing the number of user accounts and
disabling default system administrator accounts.
• Using anti-virus guards and anti-malware software
Anti-malware software such as Malwarebytes can be used to remove
malware, ransomware and other malicious files to a certain
extent.
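The first item above, regular backups, is only a recovery path if the restored copy can be trusted: a backup that was reachable from the infected machine may itself contain encrypted or deleted files, and an intruder who can write to it can also rewrite any checklist stored beside it. As an added example (not code from the original document), the Go program below records a SHA-256 manifest of a backup set, signs the manifest with an HMAC key that is assumed to be kept off the backup host, and, after a simulated restore in which one file was overwritten and one is missing, reports exactly which files can no longer be trusted. File names, contents and the key are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a backed-up path to the hex SHA-256 of its content at backup time.
type Manifest map[string]string

func hashOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every file in the backup set.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, data := range files {
		m[path] = hashOf(data)
	}
	return m
}

// canonical renders the manifest deterministically (sorted paths) so it can be signed.
func canonical(m Manifest) []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s\x00%s\n", p, m[p])
	}
	return []byte(b.String())
}

// SignManifest produces an HMAC-SHA256 over the manifest using a key kept off the
// backup host, so whoever can rewrite the backup cannot also forge a matching manifest.
func SignManifest(key []byte, m Manifest) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(m))
	return mac.Sum(nil)
}

// VerifyManifestSignature checks the HMAC in constant time.
func VerifyManifestSignature(key []byte, m Manifest, sig []byte) bool {
	return hmac.Equal(SignManifest(key, m), sig)
}

// Verify compares a restored file set against a trusted manifest and returns the
// paths whose content changed and the paths that are missing, both sorted.
func Verify(m Manifest, restored map[string][]byte) (changed, missing []string) {
	for path, want := range m {
		data, ok := restored[path]
		switch {
		case !ok:
			missing = append(missing, path)
		case hashOf(data) != want:
			changed = append(changed, path)
		}
	}
	sort.Strings(changed)
	sort.Strings(missing)
	return changed, missing
}

// Demo builds a constructed backup set, then verifies a simulated post-incident
// restore in which one file was overwritten with noise and one was deleted.
func Demo() (changed, missing []string, sigOK bool) {
	key := []byte("constructed-demo-key-keep-offline") // assumption: stored away from the backup host
	backup := map[string][]byte{
		"docs/contract.docx": []byte("contract text"),
		"docs/budget.xlsx":   []byte("budget cells"),
		"db/customers.sql":   []byte("INSERT INTO customers ..."),
	}
	m := BuildManifest(backup)
	sig := SignManifest(key, m)
	restored := map[string][]byte{
		"docs/contract.docx": []byte("contract text"),
		"docs/budget.xlsx":   []byte("\x8f\x1a\x02\xd9 overwritten"), // constructed damage
	}
	changed, missing = Verify(m, restored)
	return changed, missing, VerifyManifestSignature(key, m, sig)
}

func main() {
	changed, missing, sigOK := Demo()
	fmt.Printf("manifest signature valid: %v\nchanged: %v\nmissing: %v\n", sigOK, changed, missing)
}
```

Running `Demo()` reports that the manifest signature is still valid, that `docs/budget.xlsx` no longer matches and that `db/customers.sql` is absent, which is the information needed to decide whether this backup generation can be restored or an older one must be used. The signature check matters because a manifest that lives next to the backup, unsigned, proves nothing once the backup location has been written to by the attacker.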
Examples of Ransomware attacks
➢ First Ransomware attack
• AIDS Trojan also known as the PC Cyborg virus
• This was released using Floppy disks in 1989
• This was created by a biologist named Joseph Popp
• The AIDS Trojan targeted the healthcare industry: 20,000 infected disks
were distributed to attendees of the World Health Organization's AIDS
conference, spanning more than 90 countries
• The victims were asked to pay $189 to PC Cyborg Corporation at a PO
box in Panama
• This was easy to stop since it used simple symmetric cryptography,
and tools were soon available to decrypt the files
Source: https://www.knowbe4.com/aids-trojan
➢ Biggest Ransomware attack
• WannaCry Ransomware attack
• Targeted computers running Microsoft windows operating system
• It spread rapidly across a number of computer networks in
May 2017
• Over 230,000 computers were affected in more than 150 countries
with high profile victims including Telefónica, Britain’s National Health
Service (NHS), FedEx, Deutsche Bahn, and LATAM Airlines
• The WannaCry ransomware cost the National Health Service almost
£100m and led to the cancellation of 19,000 appointments
• It was stopped by emergency patches released by Microsoft and the
discovery of a kill switch
Source: https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html
➢ SamSam Ransomware attack
• Appeared in late 2015
• Grew over the next few years, claiming high-profile scalps including
the Colorado Department of Transportation, the City of Atlanta,
and numerous healthcare facilities.
• SamSam targeted organizations in a wide range of sectors, but healthcare
was by far the most affected sector, accounting for 24 percent of attacks
in 2018.
• The vast majority of SamSam’s targets are located in the U.S. Of the 67
organizations targeted during 2018, 56 were located in the U.S. A small
number of attacks were logged in Portugal, France, Australia, Ireland,
and Israel.
• The attack cost the Colorado Department of Transportation an estimated
1.5 million
• It has not been stopped yet; it keeps striking again and again, resulting in
huge losses
Sources
• https://riskbasedsecurity.com/2018/10/09/ransomware-to-pay-or-not-to-pay-that-is-still-a-real-question/
• https://en.wikipedia.org/wiki/Ransomware
• The four most popular methods hackers use to spread ransomware | ITProPortal
• Ransomware: Common Attack Methods - Palo Alto Networks
• How Does Ransomware Work?
• Techniques in ransomware explained – Naked Security
• Number of ransomware attacks per year 2018 | Statistic
• Understanding the true, hidden costs of ransomware attacks on the business
• Ransomware Statistics 2017-2019 : 50+ Ransomware Stats & Facts
• Ransomware: Best Practices for Prevention and Response
• https://phoenixnap.com/blog/ransomware-statistics-facts
• https://www.knowbe4.com/aids-trojan
• https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html
• SamSam: Targeted Ransomware Attacks Continue | Symantec Blogs
• SamSam Ransomware attack costs $1.5 million to CDOT - Cybersecurity Insiders